We have a company that was heavily invested in our company and was in complete control (51%+) at one time. Since then they lost control of the company and sold it back to the original owners, whom I work for.

This other company has not been performing, and we found out very recently that they have been engaging in some wrong, possibly criminally wrong, business practices.

It's my sole responsibility to ensure the network stays secure in the event we part ways, and I feel this could happen at any moment.

We know they have full domain and network level administrative accesses. I have a full list of the devices, accounts, and other securities, but what I am really asking is to know what I don't know how to secure.

What are some ways those guys could get in without administrative access?
How can I ensure they don't have a password tracking software installed that I don't know about?
How can I ensure Exchange (2007) does not have any backdoor accesses or message forwarding/tracking enabled that they could access?
Are there any tools available that will tell me which mailboxes are automatically forwarding?

I apologize if these questions are too vague. Please let me know if you need more information to answer any of these questions and thanks in advance!

> We know they have full domain and network level administrative accesses.

This is your biggest issue. As long as this is true it doesn't matter what you do; they can undo it. No matter what you change, they can change it back.

The only way you can really be sure is to completely disconnect your network from their network, and that may not be practical. If that's not an option, then your best bet is to start documenting everything in preparation for a rebuild.

Concentrate on documenting the current state of the system, make LOCAL backups of both resources and AD, etc.

I'd also add that if you really suspect possible criminal activity, then software scanning isn't going to be good enough. You'll need to check for physical devices as well, like keylogger dongles and packet sniffers.

> How can I ensure they don't have a password tracking software installed that I don't know about?

Some modern endpoint protection software (e.g. MS Forefront has been noted to detect about 30% of keyloggers) can report in if software or hardware is used to capture keystrokes.

> How can I ensure Exchange (2007) does not have any backdoor accesses or message forwarding/tracking enabled that they could access?

Exchange is tied in directly with AD, so an AD user account audit (combined with a holistic risk analysis) can identify any other avenues in, including a software inventory scan (Spiceworks will tell you what software, like LogMeIn or others, is installed on each server).

> Are there any tools available that will tell me which mailboxes are automatically forwarding?

6. Look for and uninstall GoToMyPC/LogMeIn/Similar Software as needed.
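Added here as a worked example, not code from the thread or from any of the posters: an Exchange Management Shell script that answers the "which mailboxes are automatically forwarding" question for Exchange 2007 and also covers the other server-side paths a departing admin could use to keep reading mail (transport rules that Bcc or redirect, journaling, and hand-added Full Access / Send-As grants). It uses only cmdlets and properties that exist in Exchange 2007 and stays PowerShell 1.0-compatible; the output path and the action-name regex are assumptions to adjust. What it cannot see is client-side Outlook rules stored inside the mailbox: Exchange 2007 has no Get-InboxRule (that cmdlet arrived in 2010), so those still need MFCMAPI, Outlook or an EWS query per mailbox.

```powershell
# Added example, not from the thread. Run in the Exchange 2007 Management Shell as an
# Exchange administrator. Cmdlets/properties used are the 2007 ones:
# Get-Mailbox (ForwardingAddress, DeliverToMailboxAndForward), Get-TransportRule,
# Get-JournalRule, Get-MailboxDatabase (JournalRecipient), Get-MailboxPermission,
# Get-ADPermission. Output path and the action-name regex are assumptions.

function New-Finding($check, $object, $detail) {
    # PS 1.0-safe record builder (no New-Object -Property on the 2007-era shell)
    '' | Select-Object @{n='Check';e={$check}}, @{n='Object';e={"$object"}}, @{n='Detail';e={$detail}}
}

function Get-ExchangeBackdoorFinding {
    $mailboxes = Get-Mailbox -ResultSize Unlimited

    # 1. Server-side forwarding on the mailbox object. DeliverToMailboxAndForward=True means the
    #    owner still receives the mail, which is exactly how a quiet copy would be set up.
    $mailboxes | Where-Object { $_.ForwardingAddress } | ForEach-Object {
        New-Finding 'MailboxForwarding' $_.Identity `
            "forwards to $($_.ForwardingAddress); owner keeps a copy: $($_.DeliverToMailboxAndForward)"
    }

    # 2. Hub Transport rules that Bcc, copy or redirect mail. The regex is a coarse string test on
    #    the action names: read every rule it flags, and skim the rest anyway.
    Get-TransportRule | ForEach-Object {
        $actions = ($_.Actions | Out-String).Trim()
        if ($actions -match 'BlindCopy|Redirect|CopyTo') {
            New-Finding 'TransportRuleCopy' $_.Name "state=$($_.State); $actions"
        }
    }

    # 3. Journaling: a per-database journal recipient or a (premium) journal rule delivers a copy
    #    of every matching message to a mailbox of the rule author's choosing.
    Get-MailboxDatabase | Where-Object { $_.JournalRecipient } | ForEach-Object {
        New-Finding 'DatabaseJournaling' $_.Identity "journals to $($_.JournalRecipient)"
    }
    Get-JournalRule | ForEach-Object {
        New-Finding 'JournalRule' $_.Name `
            "scope=$($_.Scope) recipient=$($_.Recipient) -> $($_.JournalEmailAddress) enabled=$($_.Enabled)"
    }

    # 4. Explicit (non-inherited) Full Access and Send-As grants to anyone but the owner. Inherited
    #    ACEs are the Exchange defaults; a grant someone added by hand shows IsInherited=False.
    foreach ($mbx in $mailboxes) {
        Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                           "$($_.User)" -ne 'NT AUTHORITY\SELF' -and "$($_.User)" -notlike 'S-1-5-*' } |
            ForEach-Object { New-Finding 'FullAccess' $mbx.Identity "$($_.User): $($_.AccessRights)" }
        Get-ADPermission -Identity $mbx.Identity |
            Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                           ($_.ExtendedRights -like '*Send-As*') -and "$($_.User)" -ne 'NT AUTHORITY\SELF' } |
            ForEach-Object { New-Finding 'SendAs' $mbx.Identity "$($_.User)" }
    }
}

$out = Join-Path $env:USERPROFILE ("exchange-backdoors-{0}.csv" -f (Get-Date -Format yyyyMMdd))
$findings = @(Get-ExchangeBackdoorFinding)
$findings | Sort-Object Check, Object | Format-Table Check, Object, Detail -AutoSize -Wrap
$findings | Export-Csv -NoTypeInformation -Path $out
"{0} findings written to {1}" -f $findings.Count, $out
```

Keep the CSV: it is the "before" snapshot you will want if this ever goes to lawyers, and the diff against a second run after the cleanup shows whether anything came back.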

---

I think this is a better solution than rebuilding from scratch, unless you're talking about a small number of users and a small number of machines (20-30). If you're talking about hundreds of users, you'll likely try to script recreating accounts, and how can you be sure they haven't slipped in a few extra service accounts you think you need but really don't? What about disjoining and rejoining all those systems?

I've been in this situation before, where the order came down and every possible admin account needed to be reset as the admin was being escorted out of the building on (possibly) unfriendly terms, in the middle of the work day. Yes, there's going to be an impact to the business, but if you plan ahead it won't be huge. We lost about 2 hours (this was pre-AD and pre-PowerShell).

Script as much as you can: resetting admin passwords on local machines, forcing password resets on ALL Active Directory accounts (service accounts, users, admins and machine accounts), and you won't have to reinvent the wheel.

As for not knowing PowerShell... Google knows it extremely well. So do apps like PowerGUI.

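The scripted reset the answer above describes, written out as an added example (it is not code from the thread or any poster). It snapshots privileged group membership as evidence before touching anything, cuts the other party's accounts off, rotates every other account (humans forced to change at next logon, service accounts recorded for re-entry), resets krbtgt, and rotates machine account passwords from the machines themselves. Assumptions: the ActiveDirectory module (RSAT, or a 2008 R2 or later DC), Domain Admin rights, WinRM on member servers for the last step, and the placeholder account lists and paths, which you replace from your own inventory.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory module (RSAT, or a 2008 R2+
# DC) and Domain Admin rights; on a 2003/2008-only forest the same steps work with ADSI or
# dsmod, the cmdlet names below are the assumption being made. $Departing and
# $ServiceAccounts are placeholders: fill them from your own inventory.
Import-Module ActiveDirectory

$Departing       = @('vendor-admin', 'vendor-svc')   # accounts owned by the other company (placeholder)
$ServiceAccounts = @('svc-backup', 'svc-sql')        # accounts that services log on with (placeholder)
$Evidence        = "C:\audit\ad-reset-$(Get-Date -Format yyyyMMdd-HHmm)"
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

function New-RandomPassword([int]$Length = 24) {
    # Rejection sampling keeps the pick uniform: bytes >= $limit are discarded, not wrapped.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $limit = 256 - (256 % $chars.Length)
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    $sb.ToString()
}
function ConvertTo-Secret($plain) { ConvertTo-SecureString $plain -AsPlainText -Force }

# 1. Evidence before change: who holds privilege right now. This is also your
#    "did they add extra admins or service accounts" list.
$privGroups = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators','Account Operators',
              'Server Operators','Backup Operators','DnsAdmins','Group Policy Creator Owners'
$privGroups | ForEach-Object {
    $g = $_
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object @{n='Group';e={$g}}, SamAccountName, objectClass, distinguishedName
} | Export-Csv -NoTypeInformation (Join-Path $Evidence 'privileged-members.csv')

# 2. The departing party: scramble, disable, and pull every group membership (recorded above).
foreach ($name in $Departing) {
    $u = Get-ADUser -Identity $name -Properties MemberOf
    Set-ADAccountPassword -Identity $u -Reset -NewPassword (ConvertTo-Secret (New-RandomPassword))
    Disable-ADAccount -Identity $u
    foreach ($g in $u.MemberOf) { Remove-ADGroupMember -Identity $g -Members $u -Confirm:$false }
}

# 3. Everyone else gets a random password now. Humans must change it at next logon; service
#    accounts cannot, so their new secrets go to a file you feed back into each service
#    (restrict its ACL, delete it when done). Your own account is skipped so this session
#    survives: reset it by hand, last, from a console you trust.
$me  = $env:USERNAME
$svc = Get-ADUser -Filter 'Enabled -eq $true' | Where-Object { $_.SamAccountName -ne $me } | ForEach-Object {
    $pw = New-RandomPassword
    Set-ADAccountPassword -Identity $_ -Reset -NewPassword (ConvertTo-Secret $pw)
    if ($ServiceAccounts -contains $_.SamAccountName) {
        $_ | Select-Object SamAccountName, @{n='NewPassword';e={$pw}}
    } else {
        # fails (harmlessly) on accounts flagged PasswordNeverExpires; clear that flag on those first
        Set-ADUser -Identity $_ -ChangePasswordAtLogon $true -ErrorAction SilentlyContinue
    }
}
$svc | Export-Csv -NoTypeInformation (Join-Path $Evidence 'service-account-passwords.csv')

# 4. krbtgt. Every TGT, including any the old admins minted for themselves, is encrypted
#    under its key, and the KDC still honours the previous key, so it takes two resets.
#    Run this line once now; run it again only after the first reset has replicated to every
#    DC and the maximum ticket lifetime (10 h by default) has passed, otherwise you invalidate
#    tickets still legitimately in use and lock people out mid-day.
Set-ADAccountPassword -Identity 'krbtgt' -Reset -NewPassword (ConvertTo-Secret (New-RandomPassword 32))

# 5. Machine accounts must be rotated from the machine itself (the DC alone changing the
#    secret breaks the trust), hence WinRM. Failures are listed for a local
#    "nltest /sc_change_pwd:<domain>". DCs (primary group 516) are left out of this loop.
Get-ADComputer -Filter 'Enabled -eq $true' -Properties PrimaryGroupID |
    Where-Object { $_.PrimaryGroupID -ne 516 } | ForEach-Object {
        $c = $_
        try {
            Invoke-Command -ComputerName $c.DNSHostName -ErrorAction Stop -ScriptBlock { Reset-ComputerMachinePassword }
            "$($c.Name): rotated"
        } catch { "$($c.Name): FAILED - $($_.Exception.Message)" }
    } | Tee-Object -FilePath (Join-Path $Evidence 'machine-accounts.log')
```

Order matters: step 1 before anything changes, your own break-glass account last, and the second krbtgt reset on a timer rather than immediately. Step 3 is the one that costs the business its two hours, so have the service-account list complete before you start.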

---

Do what you can to do this sooner rather than later, revoke admin access ASAP.

In addition, check the firewall to see if there are any ports open that shouldn't be, as they may have installed/set up RDP/VNC/etc. and be able to get in and wreak some havoc.

@Bill2718 is right; the chances are, if they are criminal, they wouldn't balk at having keyloggers and such in place. I highly suggest you do a physical inventory as well if possible: walk around the office making sure there are no extra laptops/desktops sitting in unused offices or closets.

Anything not immediately verifiable should be unplugged, and if it means a little downtime, so be it (I know it's not easy to get the C-suite on board with that), but any such device can do a huge amount of damage.

Keep in mind that scheduled tasks could also compromise you; if they have any idea this may happen, they could have scheduled a few bombs to go off later that would give them access.

I would follow all these suggestions in regards to AD, resetting passwords and permissions. If you have a handful of users, rebuilding a domain is an option; however, if the environment is larger, this seems impractical. Depending on how large your environment is, this could cause issues for months to come.

I would also lock down the firewall for both traffic coming in and going out. This way, if there are some kind of backdoors that were put in, this will help mitigate them. Mirror the port from your LAN into the WAN connection and run a packet sniffer on it. Review this data for anything that looks unusual.

If there are problems with your applications and sites that allow attacks due to exploits and holes, rebuilding the domain isn't going to help that. Ideally you should have a security firm come in and run an audit to see what vulnerabilities you may have, either by accident or intentionally.

I would also create a log server and crank up the reporting from all of your devices; that way, if there is some intrusion, hopefully you will have records of what was done and by whom, so you can address the issue and have some kind of records for legal action.
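An added example, not code from the thread or any poster, of the per-host sweep the posts above call for: the open ports that may be RDP/VNC, the scheduled "bombs", the GoToMyPC/LogMeIn-style software mentioned earlier, plus WMI event subscriptions, non-Windows services, Run keys and local admin membership, all written to a CSV per host as evidence. It uses only built-ins (schtasks, netstat, net, WMI, the registry) so it runs on 2003/2008-era servers with PowerShell 2.0. Assumptions: English schtasks column names, the remote-access product list (a starting point to extend, not a complete one), and the output path.

```powershell
# Added example, not from the thread. Run as a local administrator on each server, or push
# it over WinRM as shown at the bottom. PowerShell 2.0 and built-in tools only.
function Get-HostPersistence {
    $hn = $env:COMPUTERNAME
    function New-Finding($area, $item, $detail) {
        '' | Select-Object @{n='Host';e={$hn}}, @{n='Area';e={$area}}, @{n='Item';e={$item}}, @{n='Detail';e={$detail}}
    }

    # Scheduled tasks outside the \Microsoft\ tree. schtasks /v repeats its header once per task
    # folder, so rows whose TaskName is literally 'TaskName' are dropped.
    schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv |
        Where-Object { $_.TaskName -and $_.TaskName -ne 'TaskName' -and $_.TaskName -notlike '\Microsoft\*' } |
        ForEach-Object {
            New-Finding 'ScheduledTask' $_.TaskName ("runs [{0}] as {1}; next {2}; author {3}" -f `
                $_.'Task To Run', $_.'Run As User', $_.'Next Run Time', $_.Author)
        }

    # WMI permanent event subscriptions: a timer- or event-triggered payload with no task to find.
    # The built-in 'SCM Event Log Consumer' filter/consumer pair is normal; anything else is not.
    foreach ($cls in '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding') {
        Get-WmiObject -Namespace root\subscription -Class $cls -ErrorAction SilentlyContinue | ForEach-Object {
            $d = ($_ | Select-Object Name, Query, CommandLineTemplate, ScriptText, Filter, Consumer | Out-String).Trim()
            New-Finding 'WmiSubscription' $cls $d
        }
    }

    # Services whose binary lives outside the Windows directory, and the account they run as.
    Get-WmiObject Win32_Service | ForEach-Object {
        $exe = if ($_.PathName -match '^\s*"?([^"]+?\.exe)') { $matches[1] } else { $_.PathName }
        $exe = [Environment]::ExpandEnvironmentVariables("$exe")
        if ($exe -and $exe -notlike "$env:SystemRoot\*") {
            New-Finding 'Service' $_.Name "$($_.State)/$($_.StartMode) as $($_.StartName): $exe"
        }
    }

    # Remote-access tools in the installed-programs list (GoToMyPC, LogMeIn and relatives).
    $rat = 'LogMeIn|GoToMyPC|GoToAssist|TeamViewer|VNC|AnyDesk|Radmin|Ammyy|ScreenConnect|Splashtop|DameWare|Bomgar|pcAnywhere'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall' |
        ForEach-Object { Get-ItemProperty "$_\*" -ErrorAction SilentlyContinue } |
        Where-Object { $_.DisplayName -match $rat } |
        ForEach-Object { New-Finding 'RemoteAccessSoftware' $_.DisplayName "installed $($_.InstallDate) in $($_.InstallLocation)" }

    # Listening TCP ports mapped to the owning process (netstat exists where Get-NetTCPConnection does not).
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_.ProcessName }
    netstat -ano -p tcp | Where-Object { $_ -match 'LISTENING' } | ForEach-Object {
        $f = @($_ -split '\s+' | Where-Object { $_ })     # proto, local, remote, state, pid
        $p = [int]$f[4]
        New-Finding 'ListeningPort' $f[1] ("{0} (PID {1})" -f $procs[$p], $p)
    }

    # Members of the local Administrators group, parsed from the block 'net localgroup' prints.
    $inList = $false
    foreach ($line in @(net localgroup Administrators 2>$null)) {
        if ($line -like '----*') { $inList = $true; continue }
        if ($line -like 'The command completed*') { break }
        if ($inList -and $line.Trim()) { New-Finding 'LocalAdmin' $line.Trim() '' }
    }

    # Run / RunOnce keys, the cheapest persistence there is.
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                   'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce') {
        $p = Get-ItemProperty $k -ErrorAction SilentlyContinue
        if ($p) {
            $p.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { New-Finding 'RunKey' $_.Name "$($_.Value)" }
        }
    }
}

# Local run: print, and keep a CSV per host as evidence. For a fleet with WinRM enabled:
#   Invoke-Command -ComputerName (Get-Content servers.txt) -ScriptBlock ${function:Get-HostPersistence} | Export-Csv ...
$out = Join-Path $env:USERPROFILE "persistence-$env:COMPUTERNAME.csv"
$findings = @(Get-HostPersistence | Sort-Object Area, Item)
$findings | Format-Table Area, Item, Detail -AutoSize -Wrap
$findings | Export-Csv -NoTypeInformation -Path $out
```

Nothing in the output is automatically bad; the value is in comparing it against a build you trust and against what the firewall shows from outside, and in anything on the list that nobody in the room can explain.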

In addition to all the good advice above, it may be worth sitting with your boss, MD or whoever, explaining the risks you perceive and what you're doing about it, areas you may need help with, and above all, explaining that some of the actions you take WILL cause user pain, but that it's nothing compared to the pain the company will feel if you don't. Of course, this also depends on how much you're supposed to know about the situation.